problems of the SNI from Lee

I am Lee. These days, I am just trying to study the SNI of Grizzly. Even after reading your source code of the SNITest.java, I still do not know how to make it work, because I do not understand:

1. How to bind my Grizzly HTTP server supporting HTTPS (SSL/TLS) to provide web services? Just use the TCPNIOTransport to bind a different port, or do I need to bind to the same port as the HTTP server?

2. Could you explain the meaning of the code with blue color as //below:

Do I need this line in my own code?

Can I switch to a different SSL server configuration for each host for supporting SNI in there?

Re: problems of the SNI from Lee

Administrator

Hi Lee,

am I understanding correctly, you're trying to use SNI support with Grizzly HttpServer?

> I am Lee. These days, I am just trying to study the SNI of Grizzly. Even after reading your source code of the SNITest.java, I still do not know how to make it work, because I do not understand:
>
> 1. How to bind my Grizzly HTTP server supporting HTTPS (SSL/TLS) to provide web services? Just use the TCPNIOTransport to bind a different port, or do I need to bind to the same port as the HTTP server?

I can provide a sample by the end of the week.
The idea is to use the HttpServer AddOn mechanism and update the HttpServer FilterChain to use SNIFilter instead of SSLBaseFilter.

> 2. Could you explain the meaning of the code with blue color as //below

It just associates the hostname property with the connection.

> Do I need this line in my own code?

No. You may want to read this value, but definitely not set it.

> Can I switch to a different SSL server configuration for each host for supporting SNI in there?

Re: problems of the SNI from Lee

Many thanks for your kindest reply. And yes, I am trying to set up my Grizzly HttpServer to provide HTTPS services for multiple virtual hosts via the SNI API.

Currently, I have added a NetworkListener to the httpServer and replaced the SSLBaseFilter in the filterChain of that listener with a new SNIFilter and Resolver. But I got a NullPointerException at SNIFilter.handleRead(SNIFilter.java:241):

//LOGS
INFO co.iueo.server.IueoSNIService - setupSNI and sniServerConfigResolver is:co.iueo.server.IueoSNIService$1@43bd05c9
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 0 org.glassfish.grizzly.ssl.SSLBaseFilter$SSLTransportFilterWrapper@1772594d
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 1 org.glassfish.grizzly.ssl.SSLBaseFilter@5d44bbf0
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 2 org.glassfish.grizzly.http.HttpServerFilter@14d11fff
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 3 org.glassfish.grizzly.utils.IdleTimeoutFilter@3f69d3e1
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 4 org.glassfish.grizzly.http.server.FileCacheFilter@3ad44d70
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 5 org.glassfish.grizzly.websockets.WebSocketFilter@4237fae1
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 6 org.glassfish.grizzly.http.server.HttpServerFilter@5e052bbf
INFO co.iueo.server.IueoSNIService - setup SNI and TransportFilter is removed.
INFO co.iueo.server.IueoSNIService - setup SNI and SSLBaseFilter is changed to be org.glassfish.grizzly.sni.SNIFilter@2f021d45
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 0 org.glassfish.grizzly.sni.SNIFilter@2f021d45
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 1 org.glassfish.grizzly.http.HttpServerFilter@14d11fff
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 2 org.glassfish.grizzly.utils.IdleTimeoutFilter@3f69d3e1
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 3 org.glassfish.grizzly.http.server.FileCacheFilter@3ad44d70
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 4 org.glassfish.grizzly.websockets.WebSocketFilter@4237fae1
INFO co.iueo.server.IueoSNIService - setup SNI and Filters in the FilterChain is 5 org.glassfish.grizzly.http.server.HttpServerFilter@5e052bbf

…
java.lang.NullPointerException
    at org.glassfish.grizzly.sni.SNIFilter.handleRead(SNIFilter.java:241)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)

//// This NullPointerException might be because I removed the TransportFilter of the SSLBaseFilter when replacing it. Should I create a new TCPNIOTransport and a new FilterChain instead of the NetworkListener? If yes, how could I get all the other Filters like HttpServerFilter, IdleTimeoutFilter…..

Thanks again, have a great day!
Lee

<quote author='oleksiys'>
Hi Lee,

am I understanding correctly, you're trying to use SNI support with Grizzly HttpServer?

> I am Lee. These days, I am just trying to study the SNI of Grizzly. Even after reading your source code of the SNITest.java, I still do not know how to make it work, because I do not understand:
>
> 1. How to bind my Grizzly HTTP server supporting HTTPS (SSL/TLS) to provide web services? Just use the TCPNIOTransport to bind a different port, or do I need to bind to the same port as the HTTP server?

I can provide a sample by the end of the week.
The idea is to use the HttpServer AddOn mechanism and update the HttpServer FilterChain to use SNIFilter instead of SSLBaseFilter.

> 2. Could you explain the meaning of the code with blue color as //below

It just associates the hostname property with the connection.

> Do I need this line in my own code?

No. You may want to read this value, but definitely not set it.

> Can I switch to a different SSL server configuration for each host for supporting SNI in there?

Sure.

> If it returns null, what will happen for that host?

The SNIFilter's default server SSLEngineConfigurator will be used.

Re: problems of the SNI from Lee

For me, about this sample, one problem is that I cannot switch the “JKS” files on my server. What I need to do is switch among a number of HTTPS (SSL/TLS) certificates (cer/crt format) stored in a database, which came from the clients and were issued by different CAs, and I have no chance/ability to import/classify all of them one by one into one, two or even more different keystore files for maintenance.

Also, I used the setKeyStoreBytes(…) of SSLContextConfigurator for the certificate’s bytes; it does not look like it supports that crt/cer format, and there is no other method that supports the certificates either. So, do you have any good ideas/best experiences about that?

Re: problems of the SNI from Lee

Administrator

Hi Lee,

do I understand correctly, that now it's a general Java question, rather
than Grizzly, or you know how to implement what you need in Java and
just don't know how to do the same in Grizzly?
I don't have much experience in the security area, but I remember I had to
convert cer certificates to jks (using Java keytool) in order to use them.

Thanks.

WBR,
Alexey.

On 01.02.15 03:51, Lee You wrote:

> Hi Alexey,
>
> So cool, got it, and I will try it again in the next few days.
>
> For me, about this sample, one problem is that I cannot switch the “JKS” files on my server. What I need to do is switch among a number of HTTPS (SSL/TLS) certificates (cer/crt format) stored in a database, which came from the clients and were issued by different CAs, and I have no chance/ability to import/classify all of them one by one into one, two or even more different keystore files for maintenance.
>
> Also, I used the setKeyStoreBytes(…) of SSLContextConfigurator for the certificate’s bytes; it does not look like it supports that crt/cer format, and there is no other method that supports the certificates either. So, do you have any good ideas/best experiences about that?
>
> Thanks,
> Lee
>
>
> <quote author='oleksiys'>
> Hi Lee,
>
> I've just added the sample:
> https://java.net/projects/grizzly/sources/git/revision/ee6cff79e6f2bfcb6e079aebe3eb6b2941635d08
> but unfortunately it requires some fixes I made on the 2.3.x branch.
> With 2.3.18 you'll need to apply a workaround (see attached).
>
> Hope it will help.
>
> WBR,
> Alexey.
>

Re: problems of the SNI from Lee

Maybe it is a general question, because we have to convert cer certificates to a jks keystore file(s) first before using it for normal SSL access. But in SNI, it is inefficient/impossible when there are a number of certificates in that file(s).

So, we need to switch to a different certificate directly in the SNI. There is no class to support it; we only have the setKeyStoreXXX in SSLContextConfigurator for the keystore.

Currently, I am trying to use KeyStoreSpi, but I don’t know how to integrate it with our SNI. Here is the keyStoreSPI URL for your reference as below:

Meanwhile, I am also trying to override the @Override [public NextAction handleEvent(FilterChainContext ctx, FilterChainEvent event)] of the SNIFilter, for switching to the matched certificate directly instead of the SNIServerConfigResolver, SSLEngineConfigurator or even more. Is that right/correct? What do you think of this? Do you have any good idea?

Thanks!

Lee

>>>>>>>>>>>>

Hi Lee,

do I understand correctly, that now it's a general Java question, rather than Grizzly, or you know how to implement what you need in Java and just don't know how to do the same in Grizzly? I don't have much experience in the security area, but I remember I had to convert cer certificates to jks (using Java keytool) in order to use them.

Re: problems of the SNI from Lee

Administrator

Hi Lee,

if you could set the KeyManager for SSLEngineConfiguration, would it
help to solve the problem?
What if inside the custom KeyManager you knew the SNI host of a
specific SSLEngine (before starting the handshake) - would it help?

WBR,
Alexey.

On 02.02.15 15:36, Lee You wrote:

> Hi Alexey,
>
> Maybe it is a general question, because we have to convert cer certificates to a jks keystore file(s) first before using it for normal SSL access. But in SNI, it is inefficient/impossible when there are a number of certificates in that file(s).
>
> So, we need to switch to a different certificate directly in the SNI. There is no class to support it; we only have the setKeyStoreXXX in SSLContextConfigurator for the keystore.
>
> Currently, I am trying to use KeyStoreSpi, but I don’t know how to integrate it with our SNI. Here is the keyStoreSPI URL for your reference as below:
>
> Meanwhile, I am also trying to override the @Override [public NextAction handleEvent(FilterChainContext ctx, FilterChainEvent event)] of the SNIFilter, for switching to the matched certificate directly instead of the SNIServerConfigResolver, SSLEngineConfigurator or even more. Is that right/correct? What do you think of this? Do you have any good idea?
>
> Thanks!
>
> Lee


Re: problems of the SNI from Lee

Yes, that is true, a specific SSLEngine is needed before the SSL handshake.

To add an interface in SSLEngineConfigurator/SSLContextConfigurator/a new class for supporting a custom KeyManager is really a good idea; then we need not care about the keyStore anymore, and our Grizzly will be more flexible.

If there is any sample for it, that would be great!

Thanks again!

Lee

>>>>>>>>>

Hi Lee,

if you could set the KeyManager for SSLEngineConfiguration, would it help to solve the problem? What if inside the custom KeyManager you knew the SNI host of a specific SSLEngine (before starting the handshake) - would it help?


Re: problems of the SNI from Lee

In the custom KeyManager implementation (for example, you can extend the X509ExtendedKeyManager) you can choose the alias for the SSLEngine before the handshake happens:

@Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
    // look up the SNI host requested on 'engine' and return the alias of its certificate
}

>>>>>>>>>

Hi Alexey,

Yes, that is true, a specific SSLEngine is needed before the SSL handshake.

To add an interface in SSLEngineConfigurator/SSLContextConfigurator/a new class for supporting a custom KeyManager is really a good idea; then we need not care about the keyStore anymore, and our Grizzly will be more flexible.

If there is any sample for it, that would be great!

Thanks again!

Lee

>>>>>>>>>

Hi Lee,

if you could set the KeyManager for SSLEngineConfiguration, would it help to solve the problem? What if inside the custom KeyManager you knew the SNI host of a specific SSLEngine (before starting the handshake) - would it help?
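The custom KeyManager that the thread converges on, written out as an added example (it is not Grizzly code and not the sample Alexey attached): an X509ExtendedKeyManager whose chooseEngineServerAlias reads the SNI host name the client sent, via the handshake session's getRequestedServerNames (JDK 8 and later), and returns the alias of a per-host entry. The entries are built from PEM-encoded certificate chains and unencrypted PKCS#8 private keys held in memory, standing in for the database rows Lee describes, so no JKS file is involved. The class name SniKeyManager, the HostEntry holder, the default-host fallback and the PEM input format are all my assumptions; the JSSE calls are standard.

```java
import java.io.ByteArrayInputStream;
import java.net.Socket;
import java.security.KeyFactory;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Added example, not Grizzly code: a KeyManager that selects the server certificate
 * by the SNI host name the client sent. Chains and keys live in memory (as a
 * database-backed store would), so no JKS file is needed and hosts can be replaced
 * while the server runs.
 */
public final class SniKeyManager extends X509ExtendedKeyManager {

    /** Credentials of one host: certificate chain (leaf first) plus its private key. */
    private static final class HostEntry {
        final X509Certificate[] chain; final PrivateKey key;
        HostEntry(X509Certificate[] c, PrivateKey k) { chain = c; key = k; }
    }

    /* alias == lower-cased host name; a ConcurrentHashMap allows live updates */
    private final Map<String, HostEntry> hosts = new ConcurrentHashMap<>();
    private final String defaultAlias;  // served to clients that send no SNI

    public SniKeyManager(String defaultHost) {
        this.defaultAlias = defaultHost.toLowerCase(Locale.ROOT);
    }

    /** Register a host from PEM text: the chain and an unencrypted PKCS#8 key (assumed DB row format). */
    public void addHost(String host, String pemChain, String pemPkcs8Key) throws Exception {
        X509Certificate[] chain = CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pemChain.getBytes("US-ASCII")))
                .toArray(new X509Certificate[0]);
        chain[0].checkValidity();  // refuse an expired or not-yet-valid leaf up front
        // strip the -----BEGIN/END----- armour, then decode the base64 body
        byte[] der = Base64.getMimeDecoder().decode(pemPkcs8Key.replaceAll("-----[A-Z ]+-----", ""));
        // the key algorithm (RSA, EC, ...) is the one the leaf certificate's public key carries
        PrivateKey key = KeyFactory.getInstance(chain[0].getPublicKey().getAlgorithm())
                .generatePrivate(new PKCS8EncodedKeySpec(der));
        hosts.put(host.toLowerCase(Locale.ROOT), new HostEntry(chain, key));
    }

    /** Host name from the client's SNI extension, or null when the client sent none. */
    static String requestedHost(SSLEngine engine) {
        if (!(engine.getHandshakeSession() instanceof ExtendedSSLSession)) return null;
        ExtendedSSLSession session = (ExtendedSSLSession) engine.getHandshakeSession();
        for (SNIServerName name : session.getRequestedServerNames()) {
            if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                return ((SNIHostName) name).getAsciiName().toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    /** Alias for a host and key type; unknown hosts get the default entry, a key-type
     *  mismatch yields null so JSSE moves on to its next candidate key type. */
    String aliasFor(String host, String keyType) {
        String alias = (host != null && hosts.containsKey(host)) ? host : defaultAlias;
        HostEntry e = hosts.get(alias);
        return (e != null && e.key.getAlgorithm().equalsIgnoreCase(keyType)) ? alias : null;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return aliasFor(requestedHost(engine), keyType);
    }

    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return aliasFor(null, keyType);  // blocking-socket path: serve the default host
    }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) {
        return hosts.keySet().toArray(new String[0]);
    }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        HostEntry e = hosts.get(alias);
        return e == null ? null : e.chain.clone();
    }
    @Override public PrivateKey getPrivateKey(String alias) {
        HostEntry e = hosts.get(alias);
        return e == null ? null : e.key;
    }
    // server-only manager: it offers no client identities
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return null; }
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return null; }

    /** SSLContext whose server-side engines consult this manager during the handshake. */
    public SSLContext toSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { this }, null, null);  // default trust managers
        return ctx;
    }
}
```

JSSE calls chooseEngineServerAlias once per candidate key type after it has parsed the ClientHello, which is why the requested server names are already available on the handshake session at that point; returning null for a key type the chosen host does not have lets the JDK try the next type instead of failing the handshake. A client that sends no SNI, or a name that is not registered, receives the default host's certificate and will then fail its own host-name check, which is the safer outcome compared with silently presenting another tenant's certificate. To plug the result into Grizzly, my recollection of the 2.3 API is that SSLEngineConfigurator has a constructor taking an SSLContext (new SSLEngineConfigurator(km.toSslContext(), false, false, false)) that can be handed to NetworkListener.setSSLEngineConfig alongside setSecure(true); that wiring is an assumption on my part rather than something this thread shows, so verify it against the version in use.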